In my last column, which was published in Compliance Week's November 2005 monthly print magazine, I outlined some of the emerging thinking—and changes in direction—regarding compliance with Section 404 of Sarbanes-Oxley (see "Resources, Ownership And Discipline; Key 404 Lessons" in the box at right). This month we continue the discussion, now looking at what some companies are doing to shift 404 from a yearly project to an ongoing, readily sustainable process.

As promised, we’ll also review the search for technology solutions, and will look at how companies are—for better or worse—shifting their focus to Section 302 of SOX. And, we’ll look at what’s happening with the cost of compliance, and will see what some organizations are doing to leverage their investment in 404 to gain business benefit.

Project To Process

Companies working toward 404 compliance sustainability are in the midst of an important transition; namely, they’re changing their perspective from one that views 404 as an annual “project,” to one that views 404 as an ongoing “process.” Among the directional shifts are:

More Support, Direction And Control From The Corporate Center. At many companies, common methodologies and tools are being provided by corporate headquarters, along with related training, support and monitoring. This is especially the case at some of the largest multinationals, where efficiencies can be derived—and lessons applied—through global information sharing. But it’s also a trend among strictly domestic companies with multiple segments or locations. That’s because the approach relieves business units from reinventing the wheel, and avoids disparity in documentation and testing—not to mention materiality determinations and remediation procedures.

Knowledge, Terminology And Broad-Based Training. As companies move toward a process-oriented view of 404, personnel throughout the organization must know exactly what they’re doing, and where their individual “piece” fits into the larger 404 process; both effectiveness and efficiency are gained when the organization shares a common knowledge of requirements, responsibilities, expectations, objectives and deadlines. Facilitating that process is a common terminology, which ensures everyone is speaking the same language. This can’t be overemphasized: uniform understanding of “roles and goals” is critical to any ongoing process, and organizational comprehension will break down without a codified corporate SOX lexicon. To those ends, companies are recognizing that ongoing education is critical to a SOX process-improvement environment. While one-time training may be acceptable for a project-based effort, it’s likely not sufficient when the goal is long-term sustainability.

Hardwiring 404 Into Business Processes. To solidify ownership of internal control, business process and functional department owners are baking the 404 compliance process into operational and staff procedures. For example, they are building into business processes new protocols for ongoing documentation updates and testing procedures for 404 purposes. This ensures that 404 is “hardwired” into the corporation at key operational levels, and that the process will be maintained and updated accordingly.

The Cultural Shift. In order to successfully ingrain ongoing 404 compliance within the organization, there needs to be a commensurate shift in attitude with respect to the relevance and importance of 404, the acceptance of individual responsibility, and the monitoring of processes on an ongoing basis. This generally requires an effective change-management process; it also means building accountability into HR performance assessment and compensation protocols.

Effective Use Of Technology. According to some, companies are doomed to repeat their costly Year One SOX 404 mistakes unless those companies make use of technology. This is a dramatic exaggeration; even without sophisticated technology deployed, companies can streamline their compliance processes and make them more efficient. However, there is no doubt that the right technology can enhance both effectiveness and efficiency when it comes to ongoing 404 sustainability.

Technology “Solution”

Readers who have explored the myriad compliance software offerings available know that the term “technology solution” is a misnomer; it’s unlikely that any company can completely achieve all its compliance goals with a single software product.

For all intents and purposes, there are two basic categories of compliance software. The first is “monitoring” software. These applications deal primarily with such matters as authorization protocols, out-of-balance conditions, attempted accesses or data modifications, and other circumstances or transactions indicating potential trouble. Some of these products can become part of a company’s IT general controls, or can serve as effective monitoring of existing IT controls.

The second main category I like to call 404 support software. These applications may involve serving as a repository for a company’s controls, with linkage to financial reporting objectives and related risks of financial statement misstatements, as required by PCAOB Auditing Standard No. 2. The software may also include information on personnel responsible for controls execution, as well as the nature, ownership, frequency, and results of tests of the controls. Control deficiencies are captured, as are remediation efforts.

Both categories of software may include dashboards that provide high-level information with “drill down” capability; the applications also typically provide for automated notification of troublesome conditions.
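To make the “monitoring” category concrete, here is an added example written for this page; it is not code from the column or from any vendor’s product. It runs the three checks such software typically performs (out-of-balance journal entries, entries approved by someone without the approver role or by their own preparer, and access-log activity by users outside the authorized roles, including repeated denied attempts) over a constructed role table, constructed journal entries and constructed access-log lines. The role names, the log format, and the three-denials threshold are assumptions made for the example, not anything the page specifies.

```python
"""Added example (not from the original column): a minimal controls-monitoring
check of the kind the "monitoring software" category performs. All data below
is constructed for illustration; the role names, log format and threshold are
assumptions, not a real system's conventions."""
from collections import defaultdict

# Constructed role assignments (assumption). A real system would read these
# from the ERP or directory rather than a dict.
ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"controller"},
    "carol": {"ap_clerk", "controller"},   # holds both preparer and approver roles
    "dave": set(),                        # no finance role at all
}
APPROVER_ROLES = {"controller"}
MODIFY_ROLES = {"ap_clerk", "controller"}
PREPARER_ROLES = {"ap_clerk"}

# Constructed journal entries: each line is (account, debit, credit).
JOURNAL = [
    {"id": "JE-1001", "created_by": "alice", "approved_by": "bob",
     "lines": [("6100", 500.00, 0.0), ("2000", 0.0, 500.00)]},
    {"id": "JE-1002", "created_by": "carol", "approved_by": "carol",   # self-approved
     "lines": [("6100", 250.00, 0.0), ("2000", 0.0, 250.00)]},
    {"id": "JE-1003", "created_by": "alice", "approved_by": "bob",     # out of balance
     "lines": [("6100", 1200.00, 0.0), ("2000", 0.0, 1000.00)]},
    {"id": "JE-1004", "created_by": "alice", "approved_by": "alice",   # approver lacks role
     "lines": [("6100", 80.00, 0.0), ("2000", 0.0, 80.00)]},
]

# Constructed access-log lines: timestamp user action object outcome (assumed format).
ACCESS_LOG = """\
2005-11-03T09:12:44 alice MODIFY JE-1001 SUCCESS
2005-11-03T09:15:02 dave MODIFY JE-1001 DENIED
2005-11-03T09:15:09 dave MODIFY JE-1001 DENIED
2005-11-03T09:15:15 dave MODIFY JE-1001 DENIED
2005-11-03T10:01:37 dave MODIFY JE-1003 SUCCESS
2005-11-03T10:22:10 bob READ JE-1003 SUCCESS
"""

DENIED_THRESHOLD = 3  # assumption: this many denials from one user raises an alert


def check_journal(entries, roles=ROLES):
    """Return (entry id, condition, detail) alerts for balance and authorization problems."""
    alerts = []
    for e in entries:
        debits = sum(d for _, d, _ in e["lines"])
        credits = sum(c for _, _, c in e["lines"])
        if round(debits - credits, 2) != 0:
            alerts.append((e["id"], "OUT_OF_BALANCE",
                           f"debits {debits:.2f} != credits {credits:.2f}"))
        if e["created_by"] == e["approved_by"]:
            alerts.append((e["id"], "SELF_APPROVAL", e["approved_by"]))
        if not roles.get(e["approved_by"], set()) & APPROVER_ROLES:
            alerts.append((e["id"], "UNAUTHORIZED_APPROVER", e["approved_by"]))
    return alerts


def check_access_log(log_text, roles=ROLES, threshold=DENIED_THRESHOLD):
    """Flag successful modifications by users without a modify role, and the
    point at which one user's denied attempts reach the threshold."""
    alerts = []
    denied = defaultdict(int)
    for line in log_text.splitlines():
        _ts, user, action, obj, outcome = line.split()
        if (action == "MODIFY" and outcome == "SUCCESS"
                and not roles.get(user, set()) & MODIFY_ROLES):
            alerts.append((obj, "UNAUTHORIZED_MODIFICATION", user))
        if outcome == "DENIED":
            denied[user] += 1
            if denied[user] == threshold:
                alerts.append((obj, "REPEATED_DENIED_ACCESS", user))
    return alerts


def conflicting_roles(roles=ROLES):
    """Segregation-of-duties check: users who can both prepare and approve entries."""
    return sorted(u for u, r in roles.items()
                  if r & PREPARER_ROLES and r & APPROVER_ROLES)


if __name__ == "__main__":
    for alert in check_journal(JOURNAL) + check_access_log(ACCESS_LOG):
        print(*alert)
    print("Segregation-of-duties conflicts:", conflicting_roles())
```

Two design points are worth noting. The balance check rounds the difference to cents before comparing, because floating-point sums of dollar amounts rarely come out to exactly zero; a production system would use decimal arithmetic instead. The access-log check fires once when a user hits the denial threshold rather than on every later denial, which keeps the dashboard from being flooded by one noisy account while still catching the successful modification that followed.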

In connection with “Year One” compliance activities in 2004, many companies documented their control systems and captured testing information using electronic spreadsheets and hard copy. Although some companies decided on specific software products the first time around, most did not. That’s because they were waiting to gain experience with the 404 process, or were holding out for anticipated guidance from the Securities and Exchange Commission and the Public Company Accounting Oversight Board—not to mention their auditors. Many others were waiting for a “second generation” of software applications, or decided to hold off until an expected consolidation of vendors occurred.

As a result, what we’ve seen in 2005 is that most companies fall into one of two camps:

Same As It Ever Was. The first group is continuing to use the same approach as last year. This is due to any of a number of reasons, not the least of which is the fact that repeating last year’s methodology is the path of least resistance. Others simply lacked the resources to adequately assess the most appropriate software for their purposes; still others delayed initiation of the 404 process, making it impossible to implement solutions quickly enough.

Diving In. The second group of companies has decided to implement a software solution to take advantage of automation, despite the fact that they may not have found the “perfect” solution. Some, in fact, have implemented both types of solutions discussed above; namely, those that address monitoring, and those that support the 404 process. Use of the monitoring software provides better comfort that IT general controls—particularly those related to data access—are effective, while use of the 404 support software makes documentation, testing and related efforts more effective and efficient.

Shifting To 302

While management has been largely focused on Section 404 compliance, attention has been shifting toward Section 302, giving greater consideration to those requirements. There are two reasons for this.

First, most companies spent last year focused on complying with the massive Year One undertaking of SOX 404. Section 302, on the other hand, seemed to be well covered by established procedures, including the work of disclosure committees and the establishment of upward-cascading internal certifications; 404 was simply becoming a larger effort than anyone had expected. Now, however, general counsels, compliance officers, chief audit executives, CFOs and CEOs are focusing on the fact that the wording of the 302 certifications parallels that of Section 404.

Second, the Office of the Chief Accountant of the SEC has indicated that—with Year One of SOX 404 serving as a baseline—its staff expects to give greater attention to 302 compliance. We can expect particular focus, for example, where material weaknesses are reported in the 404 filing, but previously filed 302 reports were “clean.” Questions we can expect to be asked include, “When did the weakness first occur?” “When did management first know of it?” and “Why wasn’t it reported in the preceding 302 report?”

Accordingly, some companies are considering whether the 302 process needs to be strengthened. Some, for example, are spreading some of the SOX 404 work throughout the year, testing pervasive control areas such as IT general controls and the closing process on a quarterly basis. Whether that and other added attention to 302 becomes the norm remains to be seen, based perhaps on whether the SEC provides additional guidance on what is expected.

Cost Reduction, Business Benefit

Many of the actions discussed above (and in last month’s column) have contributed to a reduction in SOX 404 compliance costs. The degree of that reduction, of course, varies significantly, depending on the nature and extent of the actions. Accordingly, some companies anticipate virtually the same level of spend this year as last, while others expect significant reductions.

But business benefits are just as important as compliance cost reduction; or, as many have pondered in recent months, “We’re spending the time and money, so why not get some real business benefit out of 404?” These companies are taking any of several approaches to gaining bottom line benefit:

Streamlining Business Processes. Armed with new information about how business processes actually work—which is often different from the way those processes were originally designed—management teams are identifying ways to reduce labor and effort, while enhancing process effectiveness. This goes beyond financial reporting aspects, of course, and right to the fundamental operational business processes.

Making Better Use of Data. Companies are discovering that—within their vast and disparate databases—they own information that is valuable for enhancing marketing, customer service and other business objectives.

Better Information for Business Decisions. Many companies are finding that some data they had been utilizing for decision-making was, well, less than reliable. As a result of the 404 process, they have enhanced the accuracy, completeness and relevance of critical data assets, which they are now using to make smarter decisions.

Some companies with which I’ve worked decided early on—in the first year of 404 compliance—to spend a relatively small amount of additional money, and to leverage the focus on internal control over financial reporting to operations and compliance controls. They’ve been successful in enhancing operations for bottom line benefit, and streamlining the cost of complying with a broad range of laws and regulations while making compliance more effective.

Some other companies are moving to an enterprise risk management process, again leveraging the 404 work for even greater operational and compliance benefit. My first-hand experience has shown that they’re relying on the COSO Enterprise Risk Management–Integrated Framework as a basis for their initiatives. Space does not allow an airing of how this can work well—and the additional investment required and pitfalls that need to be avoided; suffice it to say that a number of companies have found the effort worth the rewards.

Despite the tremendous effort, with some disruption, we’re seeing progress made in dealing with Sarbanes-Oxley Section 404. No doubt intelligent and proactive managers will continue to find innovative ways of improving the process further. We’ll stay tuned.

The column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
